hancitor | 34636f51f1f6be19912cbebdcb4f9eed873a42ffa05e0ad3b00949e57a814cf8 | Triage

Sharing

General

Target

W0rd.dll
Size

329KB
Sample

210204-swqgsl6yqj
MD5

8785d193a5f9fbc93169b4b36ac4531d
SHA1

19d5cf757875b3de0d65c7e36f2f552c57d2cb93
SHA256

34636f51f1f6be19912cbebdcb4f9eed873a42ffa05e0ad3b00949e57a814cf8
SHA512

bae1e03030caa43b8e5b5d5eaa912aede9bb545a9ad8dddec3736f67e43a0c30ad00392733fcccda8c1c9b5143dfe2290504be2ec74a198f2a35111381728b06

Score

10^/10

hancitor 0402_pogi downloader spyware

Malware Config

Extracted

Family

hancitor

Botnet

0402_pogi

C2

http://feirecropl.com/8/forum.php

http://oresteseu.ru/8/forum.php

http://respoishis.ru/8/forum.php

Targets

- Target
  
  W0rd.dll
- Size
  
  329KB
- MD5
  
  8785d193a5f9fbc93169b4b36ac4531d
- SHA1
  
  19d5cf757875b3de0d65c7e36f2f552c57d2cb93
- SHA256
  
  34636f51f1f6be19912cbebdcb4f9eed873a42ffa05e0ad3b00949e57a814cf8
- SHA512
  
  bae1e03030caa43b8e5b5d5eaa912aede9bb545a9ad8dddec3736f67e43a0c30ad00392733fcccda8c1c9b5143dfe2290504be2ec74a198f2a35111381728b06
Score

10^/10

hancitor 0402_pogi downloader spyware
- Hancitor
  Hancitor is downloader used to deliver other malware families.
  downloader hancitor
- Blocklisted process makes network request
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

hancitor0402_pogidownloaderspyware

behavioral2

hancitor0402_pogidownloader